In many of my earlier tutorials, I mentioned the complementary nature of hacking and forensics. Each discipline benefits from knowledge of the other, and in many cases both use the same tools. In this tutorial, we will use another toolset that serves either discipline: Sysinternals, the suite of Windows utilities developed by Mark Russinovich and Bryce Cogswell.

These tools proved so effective that Microsoft acquired Sysinternals in 2006 and continues to provide the tools free of charge. Many of them are command line utilities; others, such as Process Explorer, have full GUIs.

These are some of the best tools for in-depth analysis of a Windows system. They are excellent for onsite forensics of a live system or for incident response on a system you suspect has been hacked. For a hacker who can gain physical access to a system, or upload these tools to it, they provide invaluable information about the target.

Windows Sysinternals is particularly useful when we suspect a system has been hacked and we are trying to understand what processes the malware is using and how it is operating.

Step 1: Download Sysinternals

As I mentioned earlier, Microsoft provides Windows Sysinternals for free, and you can download the entire suite from Microsoft's Sysinternals site. There is nothing to install: the tools are portable executables, and they can even be run directly from https://live.sysinternals.com without downloading anything. Once you have unzipped the suite, look in the SysinternalsSuite folder and you will see the numerous tools available. Here is a list of the tools (in alphabetical order) and their function.

AccessChk - Lets you see what type of access users and groups have to files, directories, registry keys, etc.

AccessEnum - Gives a full view of your file system and registry security settings.

As you can see from this list, there are some very powerful tools in this suite. Let's examine one of the most useful tools in this toolkit, Process Explorer.

Step 2: Open Process Explorer

In terms of digital forensics, Process Explorer can be one of the most useful Sysinternals tools. Simply double-click procexp.exe in the SysinternalsSuite folder to get started. Run it as administrator; otherwise it cannot show the full details of processes owned by SYSTEM or by other users.

Process Explorer lists each and every process and its child processes, along with its CPU use, private bytes, working set, PID, description, and company. If we suspect a malware infection, we can often find evidence of it in Process Explorer, as you can see below.

Step 3: Use Process Explorer to Examine a Process

Let's examine one process a bit more closely. About two-thirds of the way down the following screenshot, you will see the Flash plug-in process, which I suspect has been compromised.

If you have read my other articles here on Null Byte, you know that I think Adobe Flash Player is probably the worst application for security, and the best application for us hackers. New vulnerabilities and exploits for Flash Player appear almost daily.

Let's double-click on it and open its properties. As you can see in the screenshot below, this window reveals numerous properties of the selected process.

Now, click the Permissions button to see who has access to this process. Notice in the screenshot below that, besides SYSTEM and the user (which I have obscured), an Account Unknown entry has permissions on this process. Very suspicious! This would seem to warrant further investigation.

Before jumping to conclusions, though, understand what that label means. The permissions dialog prints Account Unknown for any SID it cannot resolve to a name, and it prints the SID itself next to the label. One such SID is present on the processes of almost every interactive session: the logon session SID (of the form S-1-5-5-X-Y), which Windows creates per logon and which never has a name. A deleted account, or a domain account the machine cannot look up at the moment, produces the same label. So copy the SID out of the entry and identify it before treating it as evidence of compromise.
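Here is an added example, not code from the original article, that does that triage offline. It pulls the SID out of a dialog label such as Account Unknown(S-1-5-5-0-123456) and classifies it using the documented well-known SID families (logon session, domain/local account RIDs, service and AppContainer SIDs). The exact label text and the sample SIDs are assumed for illustration.

```python
import re

# Added example (not from the original article): triage the SID behind an
# "Account Unknown" entry in Process Explorer's Permissions dialog.

# A few well-known SIDs that commonly appear in a process DACL.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-16-4096": "Low Mandatory Level",
    "S-1-16-8192": "Medium Mandatory Level",
    "S-1-16-12288": "High Mandatory Level",
    "S-1-16-16384": "System Mandatory Level",
}

# Well-known RIDs in the S-1-5-21-<domain>-<RID> family.
KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
              513: "Domain Users", 519: "Enterprise Admins"}

SID_RE = re.compile(r"S-1-(\d+)((?:-\d+)+)")


def sid_from_label(label):
    """Pull the SID out of a label like 'Account Unknown(S-1-5-5-0-123456)'."""
    m = SID_RE.search(label)
    if not m:
        raise ValueError(f"no SID in {label!r}")
    return m.group(0)


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [subauthorities])."""
    m = SID_RE.fullmatch(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return authority, subs


def classify_sid(sid):
    """Return (category, explanation) for a SID the dialog could not resolve."""
    if sid in WELL_KNOWN:
        return "well-known", WELL_KNOWN[sid]
    authority, subs = parse_sid(sid)
    if authority == 5 and len(subs) == 3 and subs[0] == 5:
        return ("logon-session",
                "logon session SID (S-1-5-5-X-Y); created per logon, never has a "
                "name, and is expected on processes of an interactive session")
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[4]
        who = KNOWN_RIDS.get(
            rid, "user-created account" if rid >= 1000 else "built-in account")
        return ("account",
                f"domain/local account, RID {rid} ({who}); unresolved means the "
                "account was deleted or its domain cannot be reached right now")
    if authority == 5 and subs[:1] == [80]:
        return "service", "virtual service account (NT SERVICE\\<name>)"
    if authority == 15 and subs[:1] == [2]:
        return "app-container", "AppContainer package SID (sandboxed app)"
    if authority == 15 and subs[:1] == [3]:
        return "capability", "AppContainer capability SID"
    return ("unclassified",
            "not a pattern this helper knows; look it up before drawing conclusions")


def triage(labels):
    """Classify every 'Account Unknown' entry copied from the dialog."""
    out = []
    for label in labels:
        sid = sid_from_label(label)
        category, why = classify_sid(sid)
        out.append((sid, category, why))
    return out


# Constructed sample of what the dialog might list (assumed, not real data).
SAMPLE_ENTRIES = [
    "Account Unknown(S-1-5-5-0-123456)",
    "Account Unknown(S-1-5-21-1234567890-987654321-111111111-1007)",
    "Account Unknown(S-1-5-21-1234567890-987654321-111111111-500)",
]

if __name__ == "__main__":
    for sid, category, why in triage(SAMPLE_ENTRIES):
        print(f"{sid:<48} {category:<14} {why}")
```

In the constructed sample, the first entry is the logon session SID (harmless by itself), while the other two are real accounts that the machine could not resolve; those are the ones worth a second look, since a deleted or unreachable account holding access to a process is unusual.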

Step 4: Check Strings

Among the many bits of information we can glean from a process, we can extract the printable strings embedded in it: file paths, URLs, registry keys, error messages, and sometimes comments or debug text the developers left behind. Remember that when the FBI attributed the Sony Pictures hack to North Korea, it cited similarities in specific lines of code between that malware and earlier North Korean tools. Pulling out strings like these is one of the ways such artifacts are recovered from a binary.

While in the Flash properties window, simply click the Strings tab to see the text inside the process. The tab lists both ASCII and Unicode strings, and a pair of radio buttons lets you choose between Image (the executable file on disk) and Memory (the live process, including anything unpacked or injected after it started). Comparing the two is worthwhile: strings that show up in memory but not in the image point to code that was not in the file you think you are looking at.
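What the Strings tab does can be reproduced in a few lines of Python. The following is an added example, not code from the article or from Sysinternals: it scans a byte blob (here a constructed, fake executable fragment, not real malware) for runs of printable ASCII and UTF-16LE characters using the minimum run length of 3 that strings.exe uses by default, and then filters the results for strings that look like paths, URLs, registry keys or module names, which is what an analyst scans the tab for first. The sample bytes and the indicator patterns are assumptions for illustration.

```python
import re
import string

# Added example (not from the original article): a Python version of what the
# Process Explorer Strings tab and Sysinternals strings.exe do, namely pull runs
# of printable characters, in both ASCII and UTF-16LE, out of a byte blob.

# strings.exe defaults to a minimum run length of 3 characters.
DEFAULT_MIN_LEN = 3

# Printable characters accepted inside a run: letters, digits, punctuation,
# space and tab. CR/LF end a run, so a multi-line message comes out as
# separate strings.
_PRINTABLE = re.escape(
    (string.ascii_letters + string.digits + string.punctuation + " \t")
    .encode("ascii"))


def _patterns(min_len):
    n = str(min_len).encode("ascii")
    ascii_re = re.compile(b"[" + _PRINTABLE + b"]{" + n + b",}")
    # UTF-16LE text made of ASCII characters is each char followed by a NUL.
    uni_re = re.compile(b"(?:[" + _PRINTABLE + b"]\\x00){" + n + b",}")
    return ascii_re, uni_re


def extract_strings(data, min_len=DEFAULT_MIN_LEN):
    """Return a list of (offset, encoding, text) tuples sorted by offset."""
    ascii_re, uni_re = _patterns(min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in uni_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort()
    return found


# Assumed patterns for strings an analyst looks at first: URLs, drive paths,
# registry hives, and module or script names.
INDICATOR_RE = re.compile(
    r"https?://|[A-Za-z]:\\|HK(?:LM|CU|CR|U)\\|\.(?:exe|dll|pdb|bat|ps1)\b",
    re.IGNORECASE)


def indicators(found):
    """Subset of extract_strings() output whose text matches INDICATOR_RE."""
    return [entry for entry in found if INDICATOR_RE.search(entry[2])]


# Constructed sample blob (fake executable fragment, not a real file): a DOS
# stub, a UTF-16LE debug-symbol path, an ASCII URL, and a UTF-16LE developer
# comment, separated by non-printable filler bytes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8
    + "C:\\Users\\dev\\build\\flash.pdb".encode("utf-16le")
    + b"\x00\x00"
    + b"http://example.invalid/update.php\x00"
    + b"\x01\x02\x03"
    + "// TODO: strip debug logging before release".encode("utf-16le")
    + b"\xff\xfe\x00"
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for offset, encoding, text in found:
        print(f"{offset:#010x} {encoding:<9} {text}")
    print("indicators:", [text for _, _, text in indicators(found)])
```

Running it against a real file (open it with `open(path, "rb").read()`) gives the Image view; the Memory view is what you get from a process dump, which is why the two can differ for packed or injected code.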

The Sysinternals suite can be a very powerful set of tools for examining the inner workings of a Windows system and its processes. It is worth the time of any digital forensic investigator, hacker, or system administrator to understand these extraordinarily useful tools. In future tutorials, we will work with some of the other Sysinternals tools, so keep coming back, my aspiring hackers!

3 Comments

Really helpful, but one problem: after opening Process Explorer and searching different threads for different processes, I found out that my DAEMON Tools has an unknown account and Google Chrome has the same... Does that mean my computer is under the surveillance of one or multiple hackers? Please, I need advice on what the next move should be. And thanks for your wonderful articles, OTW. I'm also learning the basics of hacking.